Privately speaking is a quarterly publication tracking relevant developments in privacy legislation, regulation and case law.

Privacy is a fast developing area of law, both in New Zealand and internationally, and the risks for organisations from privacy breaches can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.

NEW ZEALAND

Foreign ownership register

Land Information New Zealand (LINZ) has warned that designing an accurate register of foreign ownership of land may raise privacy and Bill of Rights (BoRA) issues. The register’s accuracy would require establishing the ultimate owner of companies and trusts, and would require solicitors to provide citizenship information about buyers.

The Australian Government has established a register of foreign investment in the residential property market and is considering expanding this to include rural land purchases. The New Zealand Government has been publicly sceptical about how effective the policy will be but, recognising that there is some support for it in the electorate, has said it will follow with interest what happens in Australia.

Link: Fairfax article

Use of smart meters by utility companies

The Privacy Commissioner has advised power companies to take “additional care” in how they look after the data collected by smart meters. They should inform consumers how the data will be used, and have “strong security standards to ensure information is transmitted safely online”.

Link: Privacy Commissioner case note

Samsung Smart TVs

Consumer concerns have been raised over Samsung’s smart TV voice recognition feature. The accompanying privacy policy states: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”

Criticisms include that the policy “leaves users with no knowledge or control over where the personal information goes or who has access to it”. In response, Samsung has reiterated that the captured data is encrypted to keep it safe.

Link: NZ Herald report

APEC Privacy Framework being updated

APEC hopes to have an update of its privacy framework completed by the end of this year. The New Zealand Privacy Commissioner has undertaken the review as part of an Australia, Canada and New Zealand stocktake group.

Areas identified for strengthening include:

  • introducing the concept of privacy management programmes
  • adding breach notification to the list of remedies, and
  • outlining factors to be considered in balancing trade considerations when restricting cross-border transfers for privacy reasons.

Link: Statement on the Privacy Commission website

Privacy Commissioner to monitor police use of personal data requests?

The Privacy Commissioner may create a central register to record Police requests for personal data without search warrants from service providers such as airlines, banks, electricity companies, telcos and internet providers. Police are said to rely on the Privacy Act’s Principle 11, which permits disclosure of personal information where required “for the maintenance of the law”. The District Court has queried the legality of such demands.

Link: NZ Herald report

USA

Data breaches hit record high

According to the Identity Theft Resource Center, the number of US data breaches hit a record high of 783 in 2014, disclosing nearly 86 million records. The medical/healthcare industry accounted for 42.5% of the reported breaches and over 8 million disclosed records, followed by the business sector with 33% (but over 68 million disclosed records).

The financial sector performed best – accounting for 5.5% of breaches and only 1.4% of disclosed records. However, Kaspersky Lab (a cybersecurity firm) has released a report showing that hackers have stolen up to $1 billion from more than 100 financial institutions in 30 countries.

Links: Identity Theft Resource Center data breach report and Kaspersky Lab report

Microsoft adopts international privacy standard for cloud services

Microsoft is the first company to receive certification for the ISO privacy standard for the cloud. ISO guidelines include:

  • control: only process personal data in accordance with customers’ instructions
  • consent: only process personal data for marketing/advertising purposes with the customer’s express consent
  • communication: notify customers in the case of a breach and keep clear records about the incident
  • transparency: disclose to the customer the identity of sub-processors and any possible locations where personal data may be processed, and
  • independent audit: obtain regular reviews of the cloud service provider’s compliance through an independent third party audit.

Microsoft’s General Counsel Brad Smith explains that the adoption of the ISO standard is just one of the ways the company has been exploring to strengthen customers’ privacy in the cloud.

Links: Microsoft announcement and Computer World article

Expensive settlements for LinkedIn and Target

LinkedIn has agreed to pay US$1.25 million and to implement industry-standard data security protocols to settle a user privacy class action suit. In 2012, LinkedIn was hacked and the passwords for nearly 6.5 million users were stolen. Each claimant is likely to receive up to $50 from the $1.25 million settlement fund.

Target has agreed to pay US$10 million to settle its 2013 data breach, which exposed the credit card and personal information of up to 110 million customers.

Affected customers will be eligible to receive damages of up to $10,000 each and can claim for time spent dealing with the consequences of the breach, although recovery is limited to $10 an hour for up to two hours. Target will also implement measures to better safeguard consumer data. In the 2014 financial year, Target’s gross expenses arising from the breach topped US$191 million.

Links: Bloomberg BNA article and Target settlement

High standard for bringing data breach class actions

Claimants’ entitlement to bring data breach class actions is currently a hot topic in the US. In a March 2015 US District Court decision, the Judge held that the plaintiffs did not have standing to sue because they weren’t able to demonstrate “actual misuse of the hacked data or specifically allege how such misuse is certainly impending”. In other words, the privacy breach is not in and of itself sufficient to prove standing. Similarly, in New Zealand, the Privacy Act expressly states its privacy principles generally “do not confer any legal right enforceable in a court of law”.

Link: Storm v Paytime (US District Court for Pennsylvania)

Legislative reform

President Barack Obama has put out for discussion a draft of the Consumer Privacy Bill of Rights Act. The Act would:

  • require compliance with fair information practice principles, which set out the legal obligations for the covered entities when collecting, creating, processing, using or disclosing personal data
  • require that data security measures are reasonable in light of the “privacy risks”, defined as those risks that cause emotional distress or physical, financial or professional harm to the consumer
  • impose civil penalties up to US$25 million, and
  • provide a safe harbour for those entities that adhere to codes of conduct approved by the Federal Trade Commission.

Link: Draft Consumer Privacy Bill of Rights Act

Federal Trade Commission releases the “Internet of Things” report

The Federal Trade Commission (FTC) has released a report detailing best consumer privacy and security practices for businesses engaged in the “Internet of Things” (IoT). The IoT refers to the connection of everyday devices to the Internet and the transmission of data between those devices. This is to be a focus of the FTC’s enforcement action in the future.

Link: “Internet of Things” report

UK & EUROPE

Court decision against Google

The English Court of Appeal, in Google v Vidal Hall, determined two important issues of law: whether the cause of action for misuse of private information is a tort, and whether a claim for damage can be made under section 13 (compensation) of the Data Protection Act 1998 (DPA) without showing pecuniary loss.

The case concerns Google’s collection of information about the browsing habits of Safari users without their knowledge and consent. The Court ruled that misuse of private information should be considered a tort, rather than an equitable claim for breach of confidence. The Court also held that the DPA permits compensation for non-pecuniary loss, such as distress, where privacy rights have been violated. In reaching this conclusion, the Court noted that distress is “often the only real damage caused by a contravention”.

Link: Google v Vidal Hall

EU Art 29 Working Group releases report on website cookie usage

A survey of 478 popular European websites, across the e-commerce, media and public sectors, has shown that many website operators inform their users about cookies but that:

  • expiry dates are often excessive, and
  • the websites still have more work to do on gaining valid consent for their use of cookies.

Link: Report – Cookie sweep combined analysis

Google ordered to improve its “vague” privacy policy

The UK Information Commissioner’s Office (ICO) has ordered Google to sign a formal undertaking to improve its “vague” privacy policy by addressing:

  • the lack of easily accessible information describing the ways in which, and the purposes for which, Google will process personal data, and
  • the lack of sufficient explanation of technical terms to service users.

Google must fix these issues by August 2015.

Outside of the UK, the French and Spanish data protection authorities have fined Google €150,000 and €900,000 respectively for breach of their privacy laws, and the Dutch data protection authority is currently threatening Google with a €15 million fine.

Link: Google’s undertaking

Half of British consumers think their privacy is at risk

New research shows that almost half of UK consumers are concerned that their personal data is not safe and that most rate data security as equally important to product and service quality when choosing where to shop.

Link: Symantec’s 2015 State of Privacy report